2 changes: 1 addition & 1 deletion .github/workflows/activate-stack.yml
Expand Up @@ -38,7 +38,7 @@ jobs:
poetry install --no-root

- name: Configure Management Credentials
uses: aws-actions/configure-aws-credentials@v4
uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
with:
aws-region: eu-west-2
role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
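Review bot: The version comment on the pinned `uses:` line is written `#v4.3.1` with no space after the hash; `# v4.3.1` follows the usual YAML comment style (yamllint's `comments` rule) and is the form dependency-update tooling normally expects when it rewrites a pinned SHA, so I would write `uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1`. The same line recurs in every other workflow file touched by this change. Nothing on the page shows how the SHA was matched to the tag, so it is worth confirming it once against the upstream release and letting an update bot own the pin so it does not go stale. Other `uses:` references in these workflows fall outside the visible hunks; if any are still referenced by tag, the same pinning applies to them.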
2 changes: 1 addition & 1 deletion .github/workflows/daily-build.yml
Expand Up @@ -42,7 +42,7 @@ jobs:
run: make build

- name: Configure Management Credentials
uses: aws-actions/configure-aws-credentials@v4
uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
with:
aws-region: eu-west-2
role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
16 changes: 9 additions & 7 deletions .github/workflows/persistent-environment.yml
Expand Up @@ -45,7 +45,7 @@ jobs:
run: make build

- name: Configure Management Credentials
uses: aws-actions/configure-aws-credentials@v4
uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
with:
aws-region: eu-west-2
role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
Expand Down Expand Up @@ -89,7 +89,7 @@ jobs:
poetry install --no-root

- name: Configure Management Credentials
uses: aws-actions/configure-aws-credentials@v4
uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
with:
aws-region: eu-west-2
role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
Expand Down Expand Up @@ -121,11 +121,13 @@ jobs:
terraform -chdir=terraform/infrastructure workspace select ${inactive_stack}

- name: Terraform Plan
env:
DEPLOY_ROLE_ARN: ${{ secrets.DEPLOY_ROLE_ARN }}
run: |
inactive_stack=$(poetry run python ./scripts/get_env_config.py inactive-stack ${{ inputs.environment }})
terraform -chdir=terraform/infrastructure plan \
--var-file=etc/${{ vars.ACCOUNT_NAME }}.tfvars \
--var assume_role_arn=${{ secrets.DEPLOY_ROLE_ARN }} \
--var assume_role_arn=${DEPLOY_ROLE_ARN} \
--var use_shared_resources=$(poetry run python scripts/are_resources_shared_for_stack.py ${inactive_stack}) \
-out tfplan

Expand Down Expand Up @@ -166,7 +168,7 @@ jobs:
fail-on-cache-miss: true

- name: Configure Management Credentials
uses: aws-actions/configure-aws-credentials@v4
uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
with:
aws-region: eu-west-2
role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
Expand Down Expand Up @@ -219,7 +221,7 @@ jobs:
poetry install --no-root

- name: Configure Management Credentials
uses: aws-actions/configure-aws-credentials@v4
uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
with:
aws-region: eu-west-2
role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
Expand Down Expand Up @@ -248,7 +250,7 @@ jobs:
poetry install --no-root

- name: Configure Management Credentials
uses: aws-actions/configure-aws-credentials@v4
uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
with:
aws-region: eu-west-2
role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
Expand Down Expand Up @@ -277,7 +279,7 @@ jobs:
poetry install --no-root

- name: Configure Management Credentials
uses: aws-actions/configure-aws-credentials@v4
uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
with:
aws-region: eu-west-2
role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
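Review bot: In the `Terraform Plan` step only the secret was moved out of the script text; `${{ inputs.environment }}` and `${{ vars.ACCOUNT_NAME }}` are still expanded by the workflow engine into the `run:` block before the shell parses it, so a value containing shell metacharacters becomes part of the script. Unless the input is constrained where it is declared (outside the hunk), it deserves the same treatment as the secret: add `ENVIRONMENT: ${{ inputs.environment }}` under `env:` and use `"${ENVIRONMENT}"` in the command. The new `${DEPLOY_ROLE_ARN}` expansion is also unquoted and would be word-split; `--var "assume_role_arn=${DEPLOY_ROLE_ARN}"` is safer. The same direct expansion remains in the `Terraform Plan` steps of pr-env-deploy.yml (`needs.set-environment-id.outputs.environment_id`) and update-lambda-permissions.yml (`inputs.stack_name`), and in the `workspace select` lines shown as context there.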
20 changes: 12 additions & 8 deletions .github/workflows/pr-env-deploy.yml
Expand Up @@ -67,7 +67,7 @@ jobs:
run: make build

- name: Configure Management Credentials
uses: aws-actions/configure-aws-credentials@v4
uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
with:
aws-region: eu-west-2
role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
Expand Down Expand Up @@ -121,7 +121,7 @@ jobs:
poetry install --no-root

- name: Configure Management Credentials
uses: aws-actions/configure-aws-credentials@v4
uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
with:
aws-region: eu-west-2
role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
Expand Down Expand Up @@ -150,10 +150,12 @@ jobs:
terraform -chdir=terraform/infrastructure workspace select ${{ needs.set-environment-id.outputs.environment_id }}

- name: Terraform Plan
env:
DEPLOY_ROLE_ARN: ${{ secrets.DEPLOY_ROLE_ARN }}
run: |
terraform -chdir=terraform/infrastructure plan \
--var-file=etc/dev.tfvars \
--var assume_role_arn=${{ secrets.DEPLOY_ROLE_ARN }} \
--var assume_role_arn=${DEPLOY_ROLE_ARN} \
--var use_shared_resources=$(poetry run python scripts/are_resources_shared_for_stack.py ${{ needs.set-environment-id.outputs.environment_id }}) \
-out tfplan

Expand Down Expand Up @@ -203,7 +205,7 @@ jobs:
poetry install --no-root

- name: Configure Management Credentials
uses: aws-actions/configure-aws-credentials@v4
uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
with:
aws-region: eu-west-2
role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
Expand All @@ -213,7 +215,7 @@ jobs:
run: make truststore-pull-client ENV=dev

- name: Configure Dev Account Credentials
uses: aws-actions/configure-aws-credentials@v4
uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
with:
aws-region: eu-west-2
role-chaining: true
Expand All @@ -240,7 +242,7 @@ jobs:
poetry install --no-root

- name: Configure Management Credentials
uses: aws-actions/configure-aws-credentials@v4
uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
with:
aws-region: eu-west-2
role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
Expand Down Expand Up @@ -275,7 +277,7 @@ jobs:
poetry install --no-root

- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v4
uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
with:
aws-region: eu-west-2
role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
Expand All @@ -285,7 +287,9 @@ jobs:
run: make truststore-pull-client ENV=dev

- name: Configure Dev Account Credentials
uses: aws-actions/configure-aws-credentials@v4
uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
env:
DEPLOY_ROLE_ARN: ${{ secrets.DEPLOY_ROLE_ARN }}
with:
aws-region: eu-west-2
role-chaining: true
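Review bot: The `env:` block added to the second `Configure Dev Account Credentials` step sets `DEPLOY_ROLE_ARN` on a `uses:` step, where nothing visible reads it: `with:` inputs are filled by `${{ }}` expressions, not by shell variables, and the hunk's line counts leave no room for a changed `with:` line. The earlier step of the same name in this file was pinned without an `env:` block, so the two are now inconsistent. Unless the part of `with:` outside the hunk references `${{ env.DEPLOY_ROLE_ARN }}`, I would drop the two lines so the secret is not exported into the action's environment for no purpose.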
6 changes: 4 additions & 2 deletions .github/workflows/pr-env-destroy.yml
Expand Up @@ -61,7 +61,7 @@ jobs:
poetry install --no-root

- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v4
uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
with:
aws-region: eu-west-2
role-to-assume: ${{ secrets.CI_ROLE_NAME }}
Expand All @@ -80,10 +80,12 @@ jobs:
run: make build get-s3-perms

- name: Terraform Destroy
env:
DEPLOY_ROLE_ARN: ${{ secrets.DEPLOY_ROLE_ARN }}
run: |
terraform -chdir=terraform/infrastructure destroy \
--var-file=etc/dev.tfvars \
--var assume_role_arn=${{ secrets.DEPLOY_ROLE_ARN }} \
--var assume_role_arn=${DEPLOY_ROLE_ARN} \
-auto-approve

- name: Cleanup Terraform Workspace
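Review bot: `Terraform Destroy` still places the role ARN on the command line through `--var assume_role_arn=${DEPLOY_ROLE_ARN}`, unquoted, so it appears in the process arguments and is subject to word splitting. Terraform reads variables from `TF_VAR_<name>` environment variables, so the step can set `TF_VAR_assume_role_arn: ${{ secrets.DEPLOY_ROLE_ARN }}` under `env:` and omit the `--var` line entirely. If the flag is kept, quote it as `--var "assume_role_arn=${DEPLOY_ROLE_ARN}"`. The same applies to the `Terraform Plan` steps in persistent-environment.yml, pr-env-deploy.yml and update-lambda-permissions.yml.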
2 changes: 1 addition & 1 deletion .github/workflows/rollback-stack.yml
Expand Up @@ -33,7 +33,7 @@ jobs:
poetry install --no-root

- name: Configure Management Credentials
uses: aws-actions/configure-aws-credentials@v4
uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
with:
aws-region: eu-west-2
role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
16 changes: 9 additions & 7 deletions .github/workflows/update-lambda-permissions.yml
Expand Up @@ -43,7 +43,7 @@ jobs:
poetry install --no-root

- name: Configure Management Credentials
uses: aws-actions/configure-aws-credentials@v4
uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
with:
aws-region: eu-west-2
role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
Expand Down Expand Up @@ -91,7 +91,7 @@ jobs:
poetry install --no-root

- name: Configure Management Credentials
uses: aws-actions/configure-aws-credentials@v4
uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
with:
aws-region: eu-west-2
role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
Expand Down Expand Up @@ -122,14 +122,14 @@ jobs:
ref: ${{ github.ref }}

- name: Configure Management Credentials
uses: aws-actions/configure-aws-credentials@v4
uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
with:
aws-region: eu-west-2
role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id }}

- name: Configure Account Role
uses: aws-actions/configure-aws-credentials@v4
uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
with:
aws-region: eu-west-2
role-chaining: true
Expand Down Expand Up @@ -180,7 +180,7 @@ jobs:
fail-on-cache-miss: true

- name: Configure Management Credentials
uses: aws-actions/configure-aws-credentials@v4
uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
with:
aws-region: eu-west-2
role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
Expand All @@ -193,10 +193,12 @@ jobs:
terraform -chdir=terraform/infrastructure workspace select ${{ inputs.stack_name }}

- name: Terraform Plan
env:
DEPLOY_ROLE_ARN: ${{ secrets.DEPLOY_ROLE_ARN }}
run: |
terraform -chdir=terraform/infrastructure plan \
--var-file=etc/${{ vars.ACCOUNT_NAME }}.tfvars \
--var assume_role_arn=${{ secrets.DEPLOY_ROLE_ARN }} \
--var assume_role_arn=${DEPLOY_ROLE_ARN} \
--var use_shared_resources=$(poetry run python scripts/are_resources_shared_for_stack.py ${{ inputs.stack_name }}) \
--out tfplan

Expand Down Expand Up @@ -239,7 +241,7 @@ jobs:
fail-on-cache-miss: true

- name: Configure Management Credentials
uses: aws-actions/configure-aws-credentials@v4
uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
with:
aws-region: eu-west-2
role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}